Abstract

In this paper, a renewable, multi-use, multi-secret sharing scheme for general access structure based on a one-way collision resistant hash function is presented, in which each participant has to carry only one share. By applying a collision-resistant one-way hash function, the proposed scheme is secure against conspiracy attacks even if the pseudo-secret shares are compromised. Moreover, high complexity operations like modular multiplication, exponentiation and inversion are avoided to increase its efficiency. Finally, in the proposed scheme, both the combiner and the participants can verify the correctness of the information exchanged among themselves.
1 Introduction

In recent days, mathematics has been widely used in public-key cryptography, which in turn has been widely used in various applications such as e-cash, e-voting, etc. One of the important issues of a public key cryptosystem is key management, and thus the private key of the public-key infrastructure should be safely preserved.

A secret sharing scheme (SSS) allows a secret $s$ to be split into different pieces, called shares, which are given to a set of participants $\mathcal{P}$, such that only certain qualified subsets of participants can recover the secret using their respective shares. The collection of those qualified subsets of participants is called the access structure $\Gamma_s$ corresponding to $s$. Blakley [1] and Shamir [9], in 1979, independently came out with a scheme known as the $(t,n)$ threshold secret sharing scheme. Stadler [10] proposed a verifiable secret sharing scheme for general access structure. However, the schemes [1], [9], [10] dealt with a single secret, and once the secret was updated with a new one, the system had to reissue a new share to each participant. This may be considered as consuming system resources and is sometimes impracticable. To eliminate these weaknesses, in 1994, He-Dawson [5] proposed a multistage $(t,n)$ threshold secret sharing scheme. In 2007, Geng et al. [I] proposed a multi-use threshold secret sharing scheme using a one-way hash function and pointed out that the He-Dawson scheme was actually a one-time-use scheme and cannot endure conspiracy attacks. A SSS is said to be multi-use if, even after a secret is reconstructed by some participants, the combiner cannot misuse their submitted information to reconstruct some other secrets. To make a scheme multi-use, the participants do not provide the combiner with the original share but a shadow or image of that share, which is an entity that depends on the original share. This image or shadow is known as the pseudo-secret share. In 2006, Pang et al. [8] proposed a multi-secret sharing scheme for general access structure in which all the secrets are revealed at a time. In 2008, Wei et al. [12] proposed a renewable secret sharing scheme for general access structure. The proposed scheme also allows new secrets to be added. In addition, the participant set and the access structure can be changed dynamically without updating any participant's share. A SSS is said to be verifiable if the participants can check the correctness of their shares given by the dealer and of the reconstructed secret given by the combiner, and the combiner can check whether the participants have submitted their correct pseudo-shares or not. The proposed scheme is a verifiable, multi-secret sharing scheme where each secret can be reconstructed independently and different secrets corresponding to different access structures may be shared. The use of only the XOR operation and the hash function makes the scheme efficient compared to the schemes [8], [10], which use modular multiplication, exponentiation and inversion.

The rest of this paper is organized as follows: the proposed scheme is discussed in Section 2, the analysis and discussion of the proposed scheme are given in Section 3 and, finally, the conclusion is given in Section 4.

2 The proposed scheme 

In this section, we present a new efficient, renewable, multi-use, multi-secret sharing scheme for general access structure using a one-way collision resistant hash function.

Aim of the scheme:

Suppose $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ is a set of $n$ participants and $s_1, s_2, \ldots, s_k$ are the $k$ secrets to be shared by a trusted dealer $\mathcal{D}$ such that $s_i \in \{0,1\}^q$ for $i = 1, 2, \ldots, k$, with access structures $\Gamma_{s_i} = \{A_{i1}, A_{i2}, \ldots, A_{it_i}\}$, where $\{0,1\}^q$ denotes the set of all binary strings of fixed length $q$ and $A_{il}$ is the $l$-th qualified subset of the access structure of the $i$-th secret $s_i$.

The scheme consists of three basic phases.

Dealer's phase

Step 1: The dealer $\mathcal{D}$ chooses:

(i) $H$, a suitable secure collision resistant one-way hash function, which takes as argument a binary string of arbitrary length and produces as output a binary string of fixed length $q$, where $q$ is the length of each secret.

(ii) $x_a \in_R \{0,1\}^q$, $a = 1, 2, \ldots, n$, where $\in_R$ denotes random selection.

Step 2: The dealer $\mathcal{D}$ sends $x_a$ to $P_a$ secretly, for $a = 1, 2, \ldots, n$, and publishes $H$ and the access structures $\Gamma_{s_i}$, for $i = 1, 2, \ldots, k$. The selection of $x_a$ in (ii) of Step 1 may also be done by the participants, who then send their shares to the dealer through a secure channel.

Pseudo-share generation phase

Let $l = \lfloor \log_2 k \rfloor + 1$ and $m = \lfloor \log_2 t \rfloor + 1$, where $t = \max\{t_1, t_2, \ldots, t_k\}$ and $t_i = |\Gamma_{s_i}|$, as explained in Aim of the scheme.

Step 1: For $i = 1, 2, \ldots, k$; $j = 1, 2, \ldots, t_i$, the dealer computes

$$S_{ij} = s_i \oplus \Big\{ \bigoplus_{a : P_a \in A_{ij}} H(x_a \| i_l \| j_m) \Big\}$$

where $i_l$ denotes the $l$-bit binary representation of $i$, $j_m$ denotes the $m$-bit binary representation of $j$, '$\|$' denotes the concatenation of two binary strings and $\oplus$ denotes the XOR operation, i.e., componentwise addition modulo 2.

Step 2: $\mathcal{D}$ publishes the values $S_{ij}$, $H(s_i)$, $H^2(x_a \| i_l \| j_m)$ for $a = 1, 2, \ldots, n$; $i = 1, 2, \ldots, k$; $j = 1, 2, \ldots, t_i$, where $H^2(x_a \| i_l \| j_m)$ means $H(H(x_a \| i_l \| j_m))$.
Combiner's phase

Suppose the group of participants $A_{ij}$ of $\Gamma_{s_i}$ submit their shares to the combiner to get $s_i$. Then the combiner can check whether a particular participant has given his pseudo-secret share $H(x_a \| i_l \| j_m)$ correctly or not, by verifying it against the corresponding public value $H^2(x_a \| i_l \| j_m)$.

If each of the pseudo-secret shares is correct, the combiner $\mathcal{C}$ calculates

$$S_{ij} \oplus \Big\{ \bigoplus_{a : P_a \in A_{ij}} H(x_a \| i_l \| j_m) \Big\}$$

which is equal to $s_i$.

The participants in $A_{ij}$ of $\Gamma_{s_i}$ can check whether the combiner is giving them back the correct secret $s_i$ or not, by verifying it against the public value $H(s_i)$.
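The three phases above, as an added Python example that is not code from the paper: it instantiates $H$ with SHA-256 (so $q = 256$), encodes $i_l$ and $j_m$ as ASCII bit strings appended to $x_a$, and keeps the published values in a dictionary; all three choices are assumptions. The combiner rejects any pseudo-share that does not hash to the public $H^2$ value and any submitting set that is not exactly $A_{ij}$.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    """The collision-resistant one-way hash H; SHA-256 here, so q = 256 (assumed)."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def pseudo_share(x_a: bytes, i: int, j: int, l: int, m: int) -> bytes:
    """H(x_a || i_l || j_m), with i_l and j_m as fixed-width l- and m-bit strings."""
    return H(x_a + format(i, f"0{l}b").encode() + format(j, f"0{m}b").encode())

def dealer_phase(secret_list, access, n):
    """secret_list[i-1] = s_i (32 bytes); access[i-1] = [A_i1, ..., A_it_i], each a set
    of participant indices in 1..n. Returns the private x_a and the public board."""
    k, t = len(secret_list), max(len(gamma) for gamma in access)
    l, m = k.bit_length(), t.bit_length()       # floor(log2 k)+1 and floor(log2 t)+1
    x = {a: secrets.token_bytes(32) for a in range(1, n + 1)}   # x_a in_R {0,1}^q
    pub = {"l": l, "m": m, "Gamma": access, "S": {}, "Hs": {}, "H2": {}}
    for i, (s_i, gamma) in enumerate(zip(secret_list, access), start=1):
        pub["Hs"][i] = H(s_i)                   # lets the members of A_ij check the combiner
        for j, A_ij in enumerate(gamma, start=1):
            acc = s_i
            for a in A_ij:
                ps = pseudo_share(x[a], i, j, l, m)
                acc = xor(acc, ps)
                pub["H2"][(a, i, j)] = H(ps)    # H^2(x_a || i_l || j_m)
            pub["S"][(i, j)] = acc              # S_ij = s_i xor (xor of the pseudo-shares)
    return x, pub

def combiner_phase(pub, i, j, submitted):
    """submitted = {a: H(x_a||i_l||j_m)} from the members of A_ij. Each pseudo-share is
    checked against the public H^2 value, and the submitting set must be exactly A_ij."""
    if set(submitted) != set(pub["Gamma"][i - 1][j - 1]):
        raise ValueError("submitting set is not the qualified subset A_ij")
    for a, ps in submitted.items():
        if H(ps) != pub["H2"][(a, i, j)]:
            raise ValueError(f"P_{a} submitted an incorrect pseudo-share")
    acc = pub["S"][(i, j)]
    for ps in submitted.values():
        acc = xor(acc, ps)
    return acc                                  # equals s_i when every share was genuine

def participant_check(pub, i, s):
    """A member of A_ij verifies the returned secret against the public H(s_i)."""
    return H(s) == pub["Hs"][i]
```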

3 Analysis of the scheme 

3.1 Security of the scheme 

We discuss the security of the scheme with respect to the pseudo-secret shares, the shares 
and the secrets. 

1. Security of the pseudo-secret shares: An adversary $\mathcal{A}$ can try to derive a participant's pseudo-secret share from $H^2(x_a \| i_l \| j_m)$, which is public. But if $\mathcal{A}$ succeeds in doing that, then $\mathcal{A}$ will be able to find a pre-image of an element under $H$, which is assumed to be computationally hard.

2. Security of the shares: An adversary $\mathcal{A}$ can try to derive a participant's share from a previously submitted pseudo-secret share $H(x_a \| i_l \| j_m)$. But as the shares are chosen by the dealer randomly and passed on to the respective participants secretly, adversary $\mathcal{A}$ would have to invert the hash function $H$, which is assumed to be computationally hard.

3. Security of the secrets: Suppose all but one of the participants in $A_{ij}$ come together to get $s_i$. They have to guess the pseudo-secret share of the missing participant from $\{0,1\}^q$, where $q$ is the fixed bit-length of the hashed value. So, they have $2^q$ choices. Whereas a layman, without any share, who knows only that the secret $s_i$ is a $q$-bit string, also has $2^q$ choices for the secret. Thus, a forbidden set of participants has no extra privilege over an outsider. The same holds if any other unauthorised subset of participants tries to reconstruct any secret. Thus, the scheme is computationally secure under the security of the chosen collision resistant hash function $H$.

Remark: Note that, in the proposed scheme, the size of the secret space is the same as that of the share space.

3.2 The scheme is a multi-use one 

Suppose a participant $P_a$ submits his pseudo-secret share to the combiner for the reconstruction of a particular secret $s_i$. Again, let the same participant $P_a$ be present in the access structure $\Gamma_{s_j}$, $i \neq j$. If his pseudo-secret shares in both cases are the same, then the combiner may misuse his share without his consent while reconstructing $s_j$. Thus, the pseudo-secret shares of a participant for different secrets, and even for different qualified subsets for the same secret, should be different.

Various schemes, e.g., [5], [I] and [7], incorporate successive use of hash functions to deal with this situation, which contributes to the greater complexity of those schemes. In the present scheme, that bottleneck is removed by concatenating the binary strings of $i$ and $j$ to $x_a$, and as a result it is sufficient to use the hash function only once.

3.3 Renewal of the scheme 

In a practical scenario, it may be necessary to add new secrets and the corresponding access structures. In addition, it may be required to change the participant set or the access structure corresponding to some secret(s).

In the proposed scheme, these changes can be made dynamically without updating any participant's share. The dealer achieves this simply by modifying the public values $S'_{ij}$ and $\Gamma_{s'_i} = \{A'_{i1}, A'_{i2}, \ldots, A'_{it_i}\}$, where $s'_i$ is the added secret and/or $\Gamma_{s'_i}$ is the modified access structure.

3.4 Performance analysis 

The present scheme is an efficient one due to the following reasons: 

(1) The only operations used are XOR and hash evaluations, of which the former is of negligible complexity. As the hash function plays an important role in the proposed scheme, we count the number of times the hash function $H$ is used by each of the participants, the dealer and the combiner for a single secret $s_i$ in the worst possible case.

By the dealer: $nt$ times for calculating $S_{ij}$, $nt$ times for calculating $H^2(x_a \| i_l \| j_m)$ and once for publishing $H(s_i)$, totalling $2nt + 1$ times.

By each participant: once for calculating $H(x_a \| i_l \| j_m)$ and once for verifying $H(s_i)$.

By the combiner: $n$ times for checking the correctness of the submitted pseudo-secret shares by calculating $H^2(x_a \| i_l \| j_m)$.

(2) In [5], [1] and [7], successive use of the hash function is incorporated to use the same share more than once, but in the present paper the same issue is resolved by using the hash function only once.

(3) In the present scheme, modular exponentiation, modular multiplication and modular inversion are not used anywhere, contrary to various schemes, some of which, e.g., [10], [12], use modular exponentiation, while others, e.g., [9], [8], [12], use Lagrange's interpolation for the reconstruction of secrets. So, the computational cost of the present scheme is quite low compared to other schemes using the above-mentioned operations.

The schemes [8] and [12] have almost the same features as the proposed scheme. A brief comparison of these two schemes with the proposed one is given in Table 1.

Table 1: Comparison among [8], [12] and the proposed scheme w.r.t. various parameters

Features                       | Proposed Scheme     | Pang et al. [8]                | Wei et al. [12]
-------------------------------+---------------------+--------------------------------+----------------------------
Multi-secret                   | Yes                 | Yes                            | Yes
Access structure               | General             | General                        | General
Secret revealing order         | Any                 | Predetermined (all at a time)  | Predetermined (fixed order)
Use of interpolation           | No                  | Yes                            | Yes
Use of modular exponentiation  | No                  | No                             | Yes
Use of hash/one-way function   | Yes (hash function) | Yes (hash function)            | No (DLP is used)

3.5 Comments on dealer verification

In reality, the dealer should also be verifiable, since a dishonest dealer can deprive some or all of the participants of the ability to reconstruct the original secret or secrets. To deal with this, there are many schemes in the present literature, e.g., [10], [6], [2], [8], which allow dealer verification.

In most of the existing schemes allowing dealer verification, the issue has been dealt with either by exponentiation (say, to the base $g$, where $g$ is a primitive element of the underlying group), e.g., [10], [6], [2], or by applying a one-way hash function (say $H$) to the secret shares, e.g., [8]. Let us look at the matter from a broader perspective: suppose $x$ is the share of a participant given by the dealer. In the above schemes, the dealer publishes either $H(x)$ or $g^x$ to enable the participants to verify their own shares. Now, three cases may arise.

Case 1: Suppose, instead of $x$, the dealer calculates the relevant quantities and constructs the scheme using $x'$, but sends $x$ ($\neq x'$) as the share and publishes $H(x)$ (or $g^x$). Then, though the participant will be assured that his share is valid by the verification procedure, the qualified set to which he belongs will not get the correct secret back. Thus, the dealer can cheat a participant without being noticed. So, in reality, the dealer is not verified by these methods.

Case 2: In another scenario, e.g., [3], where the participants choose their share $x$ themselves and send it to the dealer, the same problem may arise.

Case 3: In the worst case, it may happen that the dealer publishes wrong entities, like the hash function $H$ or the prime $p$, which are involved in the initial set-up of the scheme. In that case, the whole system will collapse. How can these quantities be checked for correctness?

So, in our scheme, we assume the dealer $\mathcal{D}$ to be trusted. However, it remains an interesting problem to search for techniques that resolve the aforesaid issues, and we invite researchers to look into it.

4 Conclusion 

In this paper, we have presented a multi-secret sharing scheme with general access structures based on a one-way collision resistant hash function. The major characteristics of its construction are the multi-use of the shares and that different secrets can be reconstructed according to their own access structures, which provides more flexibility. It has been emphasised that, unlike several other authors, we do not use operations like modular multiplication, exponentiation and inversion, thereby reducing the computational cost of the scheme to quite a large extent. By applying a one-way hash function and the concatenation operation, the proposed scheme is secure against conspiracy attacks even if the pseudo-secret shares are compromised. The analysis showed that the proposed scheme is an efficient one and can provide great capabilities for many applications, such as e-voting, multi-party protocols, oblivious transfer, privacy preserving data-mining, etc.